IoT Can Open Doors to Cybercriminals, FBI Warns

By John P. Mello Jr.
Sep 16, 2015 1:22 PM PT

The FBI on Monday warned businesses and consumers to be careful when deploying devices that connect to the Internet of Things.

As more companies and consumers use IoT devices to improve efficiency and convenience, their connection to the Internet creates opportunities for cybercriminals, the FBI said in a public service announcement.

The "Internet of Things" is a broad term that encompasses myriad devices that connect via cyberspace, including the following: heating, ventilation and air conditioning controls; Web cameras; medical devices like wireless heart monitors and insulin pumps; wearables including smartwatches and fitness bands; lighting controls; smart appliances; office equipment; equipment used to control music or TVs from a mobile device; and fuel-monitoring systems.

Criminals can use those opportunities to remotely attack other systems, send malicious emails and spam, steal personal information, or interfere with physical safety, the FBI said.

Timely Warning

The FBI aims to clear up questions consumers may have about devices they're bringing into their homes to make them smarter, FBI spokesperson Carol Cratty said.

"As technology progresses, many consumers have questions about possible vulnerabilities involving the numerous Web-connected devices now in use, which led to the public service announcement," she told TechNewsWorld.

The FBI's warning could awaken a greater sense of urgency to address the IoT's mounting security risks.

"I was pleased to see it. Someone in society has to tell the industry to drive more carefully," said Stephen Cobb, a senior security researcher at Eset.

"This is timely for the government to say that there are issues with the Internet of Things," he told TechNewsWorld.

'Great Leap Forward'

"I've been impressed with the FBI over the last five years," said Terrence Gareau, chief scientist at Nexusguard.

"They've made great improvements to work with companies and individuals to proactively alert them and keep them safe," he told TechNewsWorld.

While the FBI is warning users about vulnerabilities that already may exist, it's important that companies build devices from the ground up with security in mind.

"One thing that's happened over the last 10 years is we've started to recognize vulnerabilities before they appear in new technologies," said Richard Stiennon, chief research analyst at IT-Harvest.

"That's a great leap forward," he told TechNewsWorld.

Unintended Consequences

Although many of the security risks posed by IoT devices are localized -- attacks on a single home or a public access point -- local attacks can have larger consequences, especially if a device is a data repository.

"Home attached storage devices often have work content on them that leaks out," said Alastair Paterson, CEO of Digital Shadows.

In one case, for example, a bank contractor backed up his laptop to an attached storage device on his home network, he said. Attackers breached the NAS and shared the bank's ATM network specifications over the Internet.

A similar breach occurred with the blueprints of a headquarters building for a large institution in Switzerland, Paterson told TechNewsWorld.

Protect Yourself

Security hasn't been a priority of IoT device makers.

"Early implementation of IoT was done very poorly," said Jean-Philippe Taggart, a senior security researcher at Malwarebytes.

"The manufacturers are trying to keep the costs down, and that's often detrimental to the security of the devices," he told TechNewsWorld.

"A lot of the consumer devices weren't designed with security in mind," said Jeff Wilson, principal analyst for security at IHS Technology.

"They were just trying to get cheap cameras out the door and get people to buy them. They didn't think that hard about what could be done from a hacker's point of view," he told TechNewsWorld.

The FBI recommended a number of steps businesses and consumers can take to protect themselves from IoT attacks:

Isolate IoT devices on their own networks;

Disable Universal Plug and Play network protocols;

Purchase devices from makers with good security track records;

Change a device's default password and use strong passwords on all devices;

Keep a device's software or firmware up to date with the latest patches;

Use best practices when connecting a device to a network; and

Be aware of connectivity of any home medical devices.

John Mello is a freelance technology writer and contributor to Chief Security Officer magazine. You can connect with him on Google+.